« Floating Point Benchmark: Rust Language Added | Main | Reading List: Undercover Mormon »
Thursday, November 6, 2014
Reading List: Command and Control
- Schlosser, Eric. Command and Control. New York: Penguin, 2013. ISBN 978-0-14-312578-5.
- On the evening of September 18th, 1980 two U.S. Air Force airmen, members of a Propellant Transfer System (PTS) team, entered a Titan II missile silo near Damascus, Arkansas to perform a routine maintenance procedure. Earlier in the day they had been called to the site because a warning signal had indicated that pressure in the missile's second stage oxidiser tank was low. This was not unusual, especially for a missile which had recently been refuelled, as this one had, and the procedure of adding nitrogen gas to the tank to bring the pressure up to specification was considered straightforward. That is, if you consider any work involving a Titan II “routine” or “straightforward”. The missile, in an underground silo, protected by a door weighing more than 65 tonnes and able to withstand the 300 psi overpressure of a nearby nuclear detonation, stood more than 31 metres high and contained 143 tonnes of highly toxic fuel and oxidiser which, in addition to being poisonous to humans in small concentrations, were hypergolic: they burst into flames upon contact with one another, with no need of a source of ignition. Sitting atop this volatile fuel was a W-53 nuclear warhead with a yield of 9 megatons and high explosives in the fission primary which were not, as more modern nuclear weapons, insensitive to shock and fire. While it was unlikely in the extreme that detonation of these explosives due to an accident would result in a nuclear explosion, they could disperse the radioactive material in the bomb over the local area, requiring a massive clean-up effort. The PTS team worked on the missile wearing what amounted to space suits with their own bottled air supply. One member was an experienced technician while the other was a 19-year old rookie receiving on the job training. Early in the procedure, the team was to remove the pressure cap from the side of the missile. While the lead technician was turning the cap with a socket wrench, the socket fell off the wrench and down the silo alongside the missile. The socket struck the thrust mount supporting the missile, bounced back upward, and struck the side of the missile's first stage fuel tank. Fuel began to spout outward as if from a garden hose. The trainee remarked, “This is not good.” Back in the control centre, separated from the silo by massive blast doors, the two man launch team who had been following the servicing operation, saw their status panels light up like a Christmas tree decorated by somebody inordinately fond of the colour red. The warnings were contradictory and clearly not all correct. Had there indeed been both fuel and oxidiser leaks, as indicated, there would already have been an earth-shattering kaboom from the silo, and yet that had not happened. The technicians knew they had to evacuate the silo as soon as possible, but their evacuation route was blocked by dense fuel vapour. The Air Force handles everything related to missiles by the book, but the book was silent about procedures for a situation like this, with massive quantities of toxic fuel pouring into the silo. Further, communication between the technicians and the control centre were poor, so it wasn't clear at first just what had happened. Before long, the commander of the missile wing, headquarters of the Strategic Air Command (SAC) in Omaha, and the missile's manufacturer, Martin Marietta, were in conference trying to decide how to proceed. The greatest risks were an electrical spark or other source of ignition setting the fuel on fire or, even greater, of the missile collapsing in the silo. With tonnes of fuel pouring from the fuel tank and no vent at its top, pressure in the tank would continue to fall. Eventually, it would be below atmospheric pressure, and would be crushed, likely leading the missile to crumple under the weight of the intact and fully loaded first stage oxidiser and second stage tanks. These tanks would then likely be breached, leading to an explosion. No Titan II had ever exploded in a closed silo, so there was no experience as to what the consequences of this might be. As the night proceeded, all of the Carter era military malaise became evident. The Air Force lied to local law enforcement and media about what was happening, couldn't communicate with first responders, failed to send an evacuation helicopter for a gravely injured person because an irrelevant piece of equipment wasn't available, and could not come to a decision about how to respond as the situation deteriorated. Also on display was the heroism of individuals, in the Air Force and outside, who took matters into their own hands on the spot, rescued people, monitored the situation, evacuated nearby farms in the path of toxic clouds, and improvised as events required. Among all of this, nothing whatsoever had been done about the situation of the missile. Events inevitably took their course. In the early morning hours of September 19th, the missile collapsed, releasing all of its propellants, which exploded. The 65 tonne silo door was thrown 200 metres, shearing trees in its path. The nuclear warhead was thrown two hundred metres in another direction, coming to rest in a ditch. Its explosives did not detonate, and no radiation was released. While there were plenty of reasons to worry about nuclear weapons during the Cold War, most people's concerns were about a conflict escalating to the deliberate use of nuclear weapons or the possibility of an accidental war. Among the general public there was little concern about the tens of thousands of nuclear weapons in depots, aboard aircraft, atop missiles, or on board submarines—certainly every precaution had been taken by the brilliant people at the weapons labs to make them safe and reliable, right? Well, that was often the view among “defence intellectuals” until they were briefed in on the highly secret details of weapons design and the command and control procedures in place to govern their use in wartime. As documented in this book, which uses the Damascus accident as a backdrop (a ballistic missile explodes in rural Arkansas, sending its warhead through the air, because somebody dropped a socket wrench), the reality was far from reassuring, and it took decades, often against obstructionism and foot-dragging from the Pentagon, to remedy serious risks in the nuclear stockpile. In the early days of the U.S. nuclear stockpile, it was assumed that nuclear weapons were the last resort in a wartime situation. Nuclear weapons were kept under the civilian custodianship of the Atomic Energy Commission (AEC), and would only be released to the military services by a direct order from the President of the United States. Further, the nuclear cores (“pits”) of weapons were stored separately from the rest of the weapon assembly, and would only be inserted in the weapon, in the case of bombers, in the air, after the order to deliver the weapon was received. (This procedure had been used even for the two bombs dropped on Japan.) These safeguards meant that the probability of an accidental nuclear explosion was essentially nil in peacetime, although the risk did exist of radioactive contamination if a pit were dispersed due to fire or explosion. As the 1950s progressed, and fears of a Soviet sneak attack grew, pressure grew to shift the custodianship of nuclear weapons to the military. The development of nuclear tactical and air defence weapons, some of which were to be forward deployed outside the United States, added weight to this argument. If radar detected a wave of Soviet bombers heading for the United States, how practical would it be to contact the President, get him to sign off on transferring the anti-aircraft warheads to the Army and Air Force, have the AEC deliver them to the military bases, install them on the missiles, and prepare the missiles for launch? The missile age only compounded this situation. Now the risk existed for a “decapitation” attack which could take out the senior political and military leadership, leaving nobody with the authority to retaliate. The result of all this was a gradual devolution of control over nuclear weapons from civilian to military commands, with fully-assembled nuclear weapons loaded on aircraft, sitting at the ends of runways in the United States and Europe, ready to take off on a few minutes' notice. As tensions continued to increase, B-52s, armed with hydrogen bombs, were on continuous “airborne alert”, ready at any time to head toward their targets. The weapons carried by these aircraft, however, had not been designed for missions like this. They used high explosives which could be detonated by heat or shock, often contained few interlocks to prevent a stray electrical signal from triggering a detonation, were not “one point safe” (guaranteed that detonation of one segment of the high explosives could not cause a nuclear yield), and did not contain locks (“permissive action links”) to prevent unauthorised use of a weapon. Through much of the height of the Cold War, it was possible for a rogue B-52 or tactical fighter/bomber crew to drop a weapon which might start World War III; the only protection against this was rigid psychological screening and the enemy's air defence systems. The resistance to introducing such safety measures stemmed from budget and schedule pressures, but also from what was called the “always/never” conflict. A nuclear weapon should always detonate when sent on a wartime mission. But it should never detonate under any other circumstances, including an airplane crash, technical malfunction, maintenance error, or through the deliberate acts of an insane or disloyal individual or group. These imperatives inevitably conflict with one another. The more safeguards you design into a weapon to avoid an unauthorised detonation, the greater the probability one of them may fail, rendering the weapon inert. SAC commanders and air crews were not enthusiastic about the prospect of risking their lives running the gauntlet of enemy air defences only to arrive over their target and drop a dud. As documented here, it was only after the end of Cold War, as nuclear weapon stockpiles were drawn down, that the more dangerous weapons were retired and command and control procedures put into place which seem (to the extent outsiders can assess such highly classified matters) to provide a reasonable balance between protection against a catastrophic accident or unauthorised launch and a reliable deterrent. Nuclear command and control extends far beyond the design of weapons. The author also discusses in detail the development of war plans, how civilian and military authorities interact in implementing them, how emergency war orders are delivered, authenticated, and executed, and how this entire system must be designed not only to be robust against errors when intact and operating as intended, but in the aftermath of an attack. This is a serious scholarly work and, at 632 pages, a long one. There are 94 pages of end notes, many of which expand substantially upon items in the main text. A Kindle edition is available.
Posted at November 6, 2014 23:49